[webkit-changes] [WebKit/WebKit] bc160f: [JSC] TypedArray `in` can return false when it is ...
Yusuke Suzuki
noreply at github.com
Tue Aug 20 16:24:02 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: bc160f134e548b8d491b1053d18f3e069bcae701
https://github.com/WebKit/WebKit/commit/bc160f134e548b8d491b1053d18f3e069bcae701
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-08-20 (Tue, 20 Aug 2024)
Changed paths:
M Source/JavaScriptCore/bytecode/AccessCase.cpp
M Source/JavaScriptCore/bytecode/AccessCase.h
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
M Source/JavaScriptCore/bytecode/Repatch.cpp
Log Message:
-----------
[JSC] TypedArray `in` can return false when it is OOB in IC
https://bugs.webkit.org/show_bug.cgi?id=278414
rdar://134366042
Reviewed by Yijia Huang.
Since TypedArray does not traverse [[Prototype]] for indexed integer accesses (including negative numbers), we can just return `false`
for `in` IC when it is out of bounds. This patch renames TypedArray InHit IC to In IC and adds a fast path returning false with OOB profile flag.
* Source/JavaScriptCore/bytecode/AccessCase.cpp:
(JSC::AccessCase::create):
(JSC::AccessCase::guardedByStructureCheckSkippingConstantIdentifierCheck const):
(JSC::AccessCase::requiresIdentifierNameMatch const):
(JSC::AccessCase::requiresInt32PropertyCheck const):
(JSC::AccessCase::forEachDependentCell const):
(JSC::AccessCase::doesCalls const):
(JSC::AccessCase::canReplace const):
(JSC::AccessCase::runWithDowncast):
(JSC::AccessCase::canBeShared):
* Source/JavaScriptCore/bytecode/AccessCase.h:
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::toTypedArrayType):
(JSC::forResizableTypedArray):
(JSC::needsScratchFPR):
(JSC::forInBy):
(JSC::isStateless):
(JSC::doesJSCalls):
(JSC::isMegamorphic):
(JSC::canBeViaGlobalProxy):
(JSC::InlineCacheCompiler::generateWithGuard):
(JSC::InlineCacheCompiler::generateAccessCase):
* Source/JavaScriptCore/bytecode/Repatch.cpp:
(JSC::tryCacheArrayInByVal):
Canonical link: https://commits.webkit.org/282530@main
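
Added example (not part of the commit or of WebKit's source): the language-level behaviour the log message relies on, shown by planting properties on a constructed prototype object and comparing `in` on an ordinary array with `in` on a TypedArray. It goes slightly beyond the integer case in the log message by also probing "-0", "1.5" and the non-canonical key "01"; the helper names plantShadow, inResults and compare are hypothetical.

```javascript
// Added illustration, not WebKit source. The shadow prototype and its keys are constructed.
const KEYS = ["10", "-1", "-0", "1.5", "01"];

// Insert an ordinary object carrying the given keys between obj and its prototype.
function plantShadow(obj, keys) {
  const shadow = Object.create(Object.getPrototypeOf(obj));
  for (const k of keys) {
    Object.defineProperty(shadow, k, { value: "from prototype", enumerable: true });
  }
  return Object.setPrototypeOf(obj, shadow);
}

// Evaluate `key in obj` for one in-bounds index plus every planted key.
// String keys are used directly; `10 in obj` and `"10" in obj` are the same lookup.
function inResults(obj) {
  const out = {};
  for (const k of ["2", ...KEYS]) out[k] = k in obj;
  return out;
}

function compare() {
  return {
    // Ordinary array: a missing index falls through to [[Prototype]].
    plain: inResults(plantShadow([0, 0, 0, 0], KEYS)),
    // TypedArray: a canonical numeric key is answered by the bounds check alone,
    // so the planted prototype properties are never consulted.
    typed: inResults(plantShadow(new Uint8Array(4), KEYS)),
  };
}

console.log(compare());
```

Only "01" is found through the TypedArray's prototype, because it is not a canonical numeric string and is therefore treated as an ordinary property name.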